On certain occasions, users may need to access resources or tools that the organization deems untrusted. For example, they might need to visit untrusted websites in Microsoft Edge, or open untrusted Microsoft Office files (Word, PowerPoint, or Excel) that could potentially reach trusted resources. This presents a double-edged sword for every enterprise: either compromise user productivity or risk enterprise security.
Windows Defender Application Guard is specifically designed to address these challenges. Simply put, Application Guard acts as a protective barrier between an untrusted session and the host system. If a user accesses an untrusted site using Application Guard, that session is isolated. All activities within this session are contained, ensuring the host system remains unaffected.
You can configure the parameters for Windows Defender Application Guard by creating a profile and then associating that profile with the device groups.
| Profile Specification | Description |
|---|---|
| Enforce Defender Application Guard | Configure the level of Defender Application Guard protection. |
| Clipboard settings | Restrict the kind of data that can be transferred through the clipboard: images, text, or both. |
| Clipboard access | Regulate the direction of data transfer through the clipboard. |
| Data persistence | Retain user-downloaded files and other items (e.g., favorites, cookies) across different Application Guard sessions. |
| Print settings | Specify whether network or local printing is allowed, and the output file type (PDF or XPS). |
| Saving files in the host | Allow files that users download during Application Guard sessions to be saved on the host system. |
| Camera and microphone access | Provide camera and microphone access to applications running inside Application Guard. |
| Certificate thumbprint | Share root-level certificates with Application Guard. Once the thumbprint is provided, Application Guard makes the matching certificates available inside the isolated container. |
| Network boundaries | A Network Boundary, as the name suggests, lets enterprises define their security perimeter by including only trusted sites and excluding untrusted ones. Using this feature, you can fine-tune: |
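The profile settings above ultimately land on the device as Application Guard policy values. The following PowerShell script is an added example, not code from this page or from the MDM vendor: it reads those values back on a managed Windows device and decodes them into the same terms the table uses, flagging the combinations that widen the channel between the isolated container and the host (clipboard flowing container-to-host, files saved to the host, persistence enabled). The registry key and value names are an assumption based on the Windows `AppHVSI` policy template, and the numeric encodings follow the documented policy descriptions; verify both against the template in your environment before relying on the output.

```powershell
# Added example (not from the page or the MDM vendor): audit the Application Guard
# policy values that the profile settings in the table map onto.
# ASSUMPTION: values live under the AppHVSI policy key with the names used by the
# Windows policy template (AppHVSI.admx); verify against your own template.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'

# Encodings as described in the policy template (assumed; verify locally).
$EnforceLevel       = @{ 0 = 'Disabled'; 1 = 'Edge only'; 2 = 'Office only'; 3 = 'Edge and Office' }
$ClipboardDirection = @{ 0 = 'Blocked'; 1 = 'Host to container only'; 2 = 'Container to host only'; 3 = 'Both directions' }
$ClipboardContent   = @{ 1 = 'Text'; 2 = 'Images'; 3 = 'Text and images' }
$PrintFlags         = @{ 1 = 'XPS'; 2 = 'PDF'; 4 = 'Local printers'; 8 = 'Network printers' }  # bitmask

function Get-AppGuardSetting {
    # Returns the raw policy value, or $null when the value has not been set.
    param([string]$Name)
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Decode-Lookup([object]$Value, [hashtable]$Map) {
    if ($null -eq $Value) { return 'Not configured' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "Unknown value $Value"
}

function Decode-PrintSettings([object]$Value) {
    # The print setting is a bitmask; list every flag that is set.
    if ($null -eq $Value) { return 'Not configured' }
    $enabled = foreach ($bit in ($PrintFlags.Keys | Sort-Object)) {
        if (([int]$Value -band $bit) -ne 0) { $PrintFlags[$bit] }
    }
    if (-not $enabled) { return 'Printing disabled' }
    return ($enabled -join ', ')
}

# Raw values, keyed by the assumed policy value names.
$raw = [ordered]@{
    Enforce        = Get-AppGuardSetting 'AllowAppHVSI_ProviderSet'
    ClipboardDir   = Get-AppGuardSetting 'AppHVSIClipboardSettings'
    ClipboardType  = Get-AppGuardSetting 'AppHVSIClipboardFileType'
    Persistence    = Get-AppGuardSetting 'AllowPersistence'
    Printing       = Get-AppGuardSetting 'AppHVSIPrintingSettings'
    SaveToHost     = Get-AppGuardSetting 'SaveFilesToHost'
    CameraMic      = Get-AppGuardSetting 'AllowCameraMicrophoneRedirection'
    Thumbprints    = Get-AppGuardSetting 'CertificateThumbprints'
}

# Decoded report using the table's own terminology.
$report = [ordered]@{
    'Enforce Defender Application Guard' = Decode-Lookup $raw.Enforce $EnforceLevel
    'Clipboard access (direction)'       = Decode-Lookup $raw.ClipboardDir $ClipboardDirection
    'Clipboard settings (content)'       = Decode-Lookup $raw.ClipboardType $ClipboardContent
    'Data persistence'                   = if ($raw.Persistence -eq 1) { 'Enabled' } elseif ($null -eq $raw.Persistence) { 'Not configured' } else { 'Disabled' }
    'Print settings'                     = Decode-PrintSettings $raw.Printing
    'Saving files in the host'           = if ($raw.SaveToHost -eq 1) { 'Allowed' } elseif ($null -eq $raw.SaveToHost) { 'Not configured' } else { 'Blocked' }
    'Camera and microphone access'       = if ($raw.CameraMic -eq 1) { 'Allowed' } elseif ($null -eq $raw.CameraMic) { 'Not configured' } else { 'Blocked' }
    'Certificate thumbprints shared'     = if ($raw.Thumbprints) { ($raw.Thumbprints -split ',').Count } else { 0 }
}

# Findings: each of these widens the path from the untrusted container back to the host.
$findings = @()
if ($raw.Enforce -in 0, $null)          { $findings += 'Application Guard is not enforced; untrusted sessions run on the host.' }
if ($raw.ClipboardDir -in 2, 3)          { $findings += 'Clipboard data can flow from the container to the host.' }
if ($raw.SaveToHost -eq 1)               { $findings += 'Files downloaded in the container can be saved to the host.' }
if ($raw.Persistence -eq 1)              { $findings += 'Container state persists across sessions; a compromised session is not discarded.' }
if ($raw.CameraMic -eq 1)                { $findings += 'Camera and microphone are redirected into the container.' }
if ((Decode-PrintSettings $raw.Printing) -ne 'Printing disabled' -and $null -ne $raw.Printing) {
    $findings += 'Printing from the container is enabled; printed output leaves the isolation boundary.'
}

[pscustomobject]$report | Format-List
if ($findings.Count -eq 0) { Write-Output 'No findings: the container-to-host channels are closed.' }
else { Write-Output 'Findings:'; $findings | ForEach-Object { Write-Output " - $_" } }
```

Run it in an elevated PowerShell session on a device that has received the profile. The report section tells you how the device interpreted each setting; the findings section is intentionally one-sided, listing only the settings that let data or state cross from the isolated session back to the host, because those are the ones to justify deliberately rather than leave at a convenient default.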